Service Control Policies

  • JSON policy documents that set the maximum permissions available to the member accounts of an AWS Organization (the organization must have all features enabled; SCPs are not available in consolidated-billing-only mode).

  • Do NOT grant permissions; they only restrict which actions the principals in an account can perform.

  • Apply to every IAM user and role in a member account, including the account's root user.


📌 Where Can SCPs Be Attached?

  1. Root of the organization → affects all accounts in the org.

  2. Organizational Unit (OU) → affects:

    • Accounts in the OU.

    • All nested OUs and accounts beneath it.

  3. Individual AWS Account → affects only that account.


🔁 How SCPs Inherit

  • SCPs inherit down the organization tree: an account is subject to every SCP attached to the root, to each OU on its path, and to the account itself.

  • An action is available only if it is allowed at every level on that path. An explicit Deny at any level wins, and an Allow attached lower down cannot restore something a higher level denies.

  • By default AWS attaches the FullAWSAccess policy (Allow *) at every level, so a freshly created organization restricts nothing until you add Deny statements or replace FullAWSAccess with an allow-list.

  • Attach at root → impacts entire organization.

  • Attach to OU → impacts that OU and all children (accounts + nested OUs).

  • Attach to account → impacts just that one account.


🚫 Management Account Exception

  • SCPs do NOT apply to the management account, even if attached directly or inherited from the root.

  • The management account is exempt from all SCP restrictions, so keep workloads and day-to-day users out of it and put them in member accounts under an OU.

  • SCPs also do not restrict service-linked roles, and they do not affect principals from accounts outside the organization that access resources in a member account (the resource-based policy still applies).


🧱 Key Characteristics

  • Define the maximum permissions an account can have; they never add any.

  • Work together with IAM: a principal's effective permissions are the intersection of what the SCPs on its account's path allow and what its IAM identity policies grant (IAM grants, SCP limits).

  • Because SCPs are evaluated like any other policy, an explicit Deny in an SCP overrides every Allow, in IAM policies or in other SCPs.

  • Think of SCPs as a fence: they set the outer boundary for what's allowed, and IAM decides who may move inside it.
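The inheritance and "fence" rules above are easy to state and easy to get wrong when several SCPs sit on one path. The following is an added example (not AWS code and not from the original page): three constructed SCP documents, one for the root, one for a Production OU and an allow-list for a sandbox account, plus a small evaluator that applies the documented rule at each target (a matching Allow and no matching Deny) and requires every target on the path to permit the action. It models only Action/NotAction, Effect and the StringEquals/StringNotEquals condition operators, ignores the Resource element, and is not a substitute for the real policy simulator or Access Analyzer.

```python
"""Toy evaluator for how SCPs combine down an organization path.

Added example, not AWS code. Rule modelled: at every target on the path
(root, each OU, the account) the action needs a matching Allow and no
matching Deny; the account gets the action only if EVERY target permits it.
Resource is ignored (SCPs use "*"); only StringEquals/StringNotEquals handled.
"""
import re

# AWS-managed policy attached by default to every root, OU and account.
FULL_AWS_ACCESS = {"Version": "2012-10-17",
                   "Statement": [{"Effect": "Allow", "Action": "*", "Resource": "*"}]}

# Constructed deny-list for the root: pin member accounts to two regions
# (carving out a few global services) and block leaving the organization.
ROOT_GUARDRAILS = {"Version": "2012-10-17", "Statement": [
    {"Sid": "DenyOutsideAllowedRegions", "Effect": "Deny",
     # NotAction: everything EXCEPT these global services is denied when the
     # request targets a region outside the allowed list.
     "NotAction": ["iam:*", "organizations:*", "sts:*", "support:*",
                   "cloudfront:*", "route53:*"],
     "Resource": "*",
     "Condition": {"StringNotEquals": {
         "aws:RequestedRegion": ["eu-west-1", "eu-central-1"]}}},
    {"Sid": "DenyLeavingOrganization", "Effect": "Deny",
     "Action": "organizations:LeaveOrganization", "Resource": "*"},
]}

# Constructed deny-list for a "Production" OU: protect the audit trail.
PROD_GUARDRAILS = {"Version": "2012-10-17", "Statement": [
    {"Sid": "ProtectCloudTrail", "Effect": "Deny",
     "Action": ["cloudtrail:StopLogging", "cloudtrail:DeleteTrail",
                "cloudtrail:UpdateTrail"],
     "Resource": "*"}]}

# Constructed allow-list attached to a sandbox account IN PLACE OF
# FullAWSAccess. It "allows" LeaveOrganization, but the root Deny still wins.
SANDBOX_ALLOW_LIST = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Resource": "*",
     "Action": ["ec2:*", "s3:*", "organizations:LeaveOrganization"]}]}


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _action_matches(pattern, action):
    """IAM action matching: case-insensitive, '*' and '?' wildcards."""
    regex = re.escape(pattern).replace(r"\*", ".*").replace(r"\?", ".")
    return re.fullmatch(regex, action, re.IGNORECASE) is not None


def _statement_applies(stmt, action, context):
    if "Action" in stmt:
        if not any(_action_matches(p, action) for p in _as_list(stmt["Action"])):
            return False
    elif any(_action_matches(p, action) for p in _as_list(stmt["NotAction"])):
        return False
    for operator, pairs in stmt.get("Condition", {}).items():
        if operator not in ("StringEquals", "StringNotEquals"):
            raise NotImplementedError(operator)
        for key, expected in pairs.items():
            # As in IAM, a negated operator matches when the key is absent.
            hit = context.get(key) in _as_list(expected)
            if hit != (operator == "StringEquals"):
                return False
    return True


def target_permits(policies, action, context):
    """One root/OU/account: needs a matching Allow and no matching Deny."""
    allowed = denied = False
    for policy in policies:
        for stmt in policy["Statement"]:
            if _statement_applies(stmt, action, context):
                if stmt["Effect"] == "Deny":
                    denied = True
                else:
                    allowed = True
    return allowed and not denied


def account_permits(path, action, region=None, management_account=False):
    """path: the SCP lists attached from the root down to the account."""
    if management_account:
        return True  # SCPs never restrict the management account, even if attached
    context = {"aws:RequestedRegion": region} if region else {}
    return all(target_permits(target, action, context) for target in path)


ROOT = [FULL_AWS_ACCESS, ROOT_GUARDRAILS]
PROD_ACCOUNT = [ROOT, [FULL_AWS_ACCESS, PROD_GUARDRAILS], [FULL_AWS_ACCESS]]
SANDBOX_ACCOUNT = [ROOT, [FULL_AWS_ACCESS], [SANDBOX_ALLOW_LIST]]

if __name__ == "__main__":
    for name, path, action, region in [
        ("prod", PROD_ACCOUNT, "ec2:RunInstances", "eu-west-1"),
        ("prod", PROD_ACCOUNT, "ec2:RunInstances", "us-east-1"),
        ("prod", PROD_ACCOUNT, "iam:CreateUser", "us-east-1"),
        ("prod", PROD_ACCOUNT, "cloudtrail:StopLogging", "eu-west-1"),
        ("sandbox", SANDBOX_ACCOUNT, "organizations:LeaveOrganization", "us-east-1"),
        ("sandbox", SANDBOX_ACCOUNT, "cloudtrail:StopLogging", "eu-west-1"),
    ]:
        verdict = "allowed" if account_permits(path, action, region) else "DENIED"
        print(f"{name:8}{action:34}{region:13}{verdict}")
```

Two of the cases are the ones that bite in practice: iam:CreateUser from us-east-1 passes the region guardrail only because of the NotAction carve-out for global services (drop the carve-out and IAM breaks everywhere), and the sandbox account's own Allow for organizations:LeaveOrganization changes nothing because the root Deny is on its path. The same sandbox account also loses cloudtrail:StopLogging without any Deny at all, simply because its allow-list replaced FullAWSAccess and never allows CloudTrail.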
